<b><i>Commentary: </b></i>Playing with Privacy

To enhance productivity, companies such as Entellium are redesigning business software using interactive game techniques. Customer-relationship management software users, for example, can build a dossier of clients and sales prospects that include photographs and lists of likes, dislikes and buying interests like character descriptions in popular role-playing games.

Additionally, Web-based functionality is increasingly mobile. We can call, e-mail or text-message while listening to music, watching videos or playing games, all from one hand-held device. We can also locate friends on-the-go with inexpensive, buddy-finder applications (e.g., Boost Loopt). With buddy-finder tools, users can find each other offline by joining a closed social network that appears as dots on a mobile device.

To complicate matters, according to an April 2007 Pew Internet & American Life Project study on social networks, American teens lead the trend toward ubiquitous Web-based connectivity. In fact, about 55% of American teens already have social networking profiles online. Of those teens with online profiles, about 32% said a total stranger had tried to contact them. Needless to say, ubiquitous connectivity can make supervising online behavior even more challenging for parents.

Not far behind, companies see the opportunity and are exploring new ways to promote goods through viral marketing. According to a recent Forrester Research survey, 20% of marketers currently use social networking to promote products, and about 60% are expected to do so by the end of 2007.

Harvesting Player Profiles

Among those companies leading the pack is Google. In a recent patent application, for example, Google revealed its plans to compile millions of psychological profiles
on users playing massively multiplayer online role-playing games. Specifically, Google will glean information about user activities on popular role-playing games such as World of Warcraft and Second Life, and track online decisions to predict offline behavior. Google will then sell that information to advertisers.

This shift in the way we socialize online, however, is leaving U.S. policymakers puzzled on how best to address how users ' particularly young ones ' behave online. In April alone, for example, Michigan authorities charged a Texas man with criminal sexual conduct involving a 14-year-old girl he met on MySpace. And the FBI inspected Second Life's virtual community to investigate allegations (and the legal implications) of gambling in an online setting.

Yet the policy concerns surrounding virtual communities and social networking are broad and difficult to pin down. Popular social networks typically have well over 100 million registered users. Managing these crowded environments parallels the real-world challenges of managing a major city.

So what can U.S. policymakers do to create a safe virtual environment without stifling technological advancements?

Legislative Proposals

About a half-dozen states have proposed laws aimed at excluding minors from social networks by requiring Web site operators to verify the age of every user and requiring parental permission for those under 18. Connecticut and North Carolina are among those states leading the way for new legislation. But it remains unclear if these proposals will have a meaningful impact.

In Connecticut's bill (6981), for example, social networking Web site operators must first obtain a parent's written permission before allowing any minor to create an online profile. To accomplish this goal, Connecticut's bill requires social networking Web sites to independently verify the accuracy of personal information collected from all users. But the bill doesn't guide operators on how to verify user identity.

The push to regulate social networks stems from the apparent lack of reliable tools available to verify users online. In the legislative history of a similar bill in New York (A8022), legislators explained that existing age verification mechanisms online simply aren't working: 'MySpace.com, for example, has a minimum age of 14 for participation, but children simply say they are over 14 when registering, and no one checks to verify the information.'

But these proposals could face at least two formidable obstacles. One, the federal Communications Decency Act ('CDA'), offers Web site operators broad immunity against deceptive user statements. Congress gave operators this immunity to promote the Internet's continued development. So, if a minor lies about his or her age (at least 46% admit to posting false information online) to circumvent the site's registration system, then an operator would not be held liable under federal law. This federal immunity could significantly undermine any punishment created under state law.

Two, current proposals create an informational tug-of-war because verifying minors necessarily requires some entity to collect, store and share precisely the sensitive information that all users should try to protect. Moreover, as of today, no single entity can reliably verify minors online. And even if such an entity existed, many fear that it would be a prime target for child predators.

Yet the bigger question is, how would these legislative proposals address the privacy and safety concerns that lie ahead? What impact would they have on the infectious popularity of virtual worlds? And how can users truly feel safe in a social environment that's covertly storing and selling their psychological profiles?

Time for a New Approach

Given these legal hurdles, combined with our commercial, technical and cultural trends, we need a new approach. Albert Einstein noted: 'We can't solve problems with the same kind of thinking we used when we created them.' And such is the case for us here.

For starters, the Children's Online Privacy Protection Act ('COPPA') has played an inexplicably obscure role in the social networking debate. COPPA already governs the way commercial operators interact with children under 13. Among other things, COPPA requires operators to obtain verifiable parental consent before collecting personal information from child users. Plus, COPPA empowers state attorneys general to bring their own actions against violators.

Yet, as part of our ongoing online safety debate, no one has proposed toughening COPPA's statutory age requirement (e.g., 16 years old). This oversight may result in a missed opportunity for two reasons. First, since being enacted in 1998, COPPA has not been challenged in federal court. Second, COPPA's language already encourages operators to continually evaluate 'available technology' to carry out its congressional mandate of protecting minors through parental notice and consent. The problem is market forces haven't forced operators to evaluate available technology.

Additionally, no one has seriously explored measures that will set the stage for the marketplace to find its own innovative solutions to the online safety dilemma ' solutions that could identify someone as eligible to join a social networking site without retaining (or requiring another entity to retain) information about that individual.

Take California's SB 1386, for example. SB 1386 single-handedly catapulted data protection in the United States to the stratosphere by shedding light on what was previously an internal corporate matter. This law forced companies to disclose every major data breach of sensitive customer information. That's it. And with that seemingly simple legal requirement, most companies found the necessary business incentives to adequately guard consumer data. Even though companies continue to lose sensitive information, the stakes are much higher.

Could a similar transparency initiative give operators the necessary business incentives to better address the evident social networking safety concerns?

No doubt, legislators should act. But they must do so in a way that fosters meaningful solutions. Before we can solve the social networking dilemma, we must first grasp the cultural nuances of virtual communities and the potential implications of any new proposals. Otherwise, our rush to respond may fail to fully address those important concerns.

To enhance productivity, companies such as Entellium are redesigning business software using interactive game techniques. Customer-relationship management software users, for example, can build a dossier of clients and sales prospects that include photographs and lists of likes, dislikes and buying interests like character descriptions in popular role-playing games.

Additionally, Web-based functionality is increasingly mobile. We can call, e-mail or text-message while listening to music, watching videos or playing games, all from one hand-held device. We can also locate friends on-the-go with inexpensive, buddy-finder applications (e.g., Boost Loopt). With buddy-finder tools, users can find each other offline by joining a closed social network that appears as dots on a mobile device.

To complicate matters, according to an April 2007 Pew Internet & American Life Project study on social networks, American teens lead the trend toward ubiquitous Web-based connectivity. In fact, about 55% of American teens already have social networking profiles online. Of those teens with online profiles, about 32% said a total stranger had tried to contact them. Needless to say, ubiquitous connectivity can make supervising online behavior even more challenging for parents.

Not far behind, companies see the opportunity and are exploring new ways to promote goods through viral marketing. According to a recent Forrester Research survey, 20% of marketers currently use social networking to promote products, and about 60% are expected to do so by the end of 2007.

Harvesting Player Profiles

Among those companies leading the pack is Google. In a recent patent application, for example, Google revealed its plans to compile millions of psychological profiles
on users playing massively multiplayer online role-playing games. Specifically, Google will glean information about user activities on popular role-playing games such as World of Warcraft and Second Life, and track online decisions to predict offline behavior. Google will then sell that information to advertisers.

This shift in the way we socialize online, however, is leaving U.S. policymakers puzzled on how best to address how users ' particularly young ones ' behave online. In April alone, for example, Michigan authorities charged a Texas man with criminal sexual conduct involving a 14-year-old girl he met on MySpace. And the FBI inspected Second Life's virtual community to investigate allegations (and the legal implications) of gambling in an online setting.

Yet the policy concerns surrounding virtual communities and social networking are broad and difficult to pin down. Popular social networks typically have well over 100 million registered users. Managing these crowded environments parallels the real-world challenges of managing a major city.

So what can U.S. policymakers do to create a safe virtual environment without stifling technological advancements?

Legislative Proposals

About a half-dozen states have proposed laws aimed at excluding minors from social networks by requiring Web site operators to verify the age of every user and requiring parental permission for those under 18. Connecticut and North Carolina are among those states leading the way for new legislation. But it remains unclear if these proposals will have a meaningful impact.

In Connecticut's bill (6981), for example, social networking Web site operators must first obtain a parent's written permission before allowing any minor to create an online profile. To accomplish this goal, Connecticut's bill requires social networking Web sites to independently verify the accuracy of personal information collected from all users. But the bill doesn't guide operators on how to verify user identity.

The push to regulate social networks stems from the apparent lack of reliable tools available to verify users online. In the legislative history of a similar bill in New York (A8022), legislators explained that existing age verification mechanisms online simply aren't working: 'MySpace.com, for example, has a minimum age of 14 for participation, but children simply say they are over 14 when registering, and no one checks to verify the information.'

But these proposals could face at least two formidable obstacles. One, the federal Communications Decency Act ('CDA'), offers Web site operators broad immunity against deceptive user statements. Congress gave operators this immunity to promote the Internet's continued development. So, if a minor lies about his or her age (at least 46% admit to posting false information online) to circumvent the site's registration system, then an operator would not be held liable under federal law. This federal immunity could significantly undermine any punishment created under state law.

Two, current proposals create an informational tug-of-war because verifying minors necessarily requires some entity to collect, store and share precisely the sensitive information that all users should try to protect. Moreover, as of today, no single entity can reliably verify minors online. And even if such an entity existed, many fear that it would be a prime target for child predators.

Yet the bigger question is, how would these legislative proposals address the privacy and safety concerns that lie ahead? What impact would they have on the infectious popularity of virtual worlds? And how can users truly feel safe in a social environment that's covertly storing and selling their psychological profiles?

Time for a New Approach

Given these legal hurdles, combined with our commercial, technical and cultural trends, we need a new approach. Albert Einstein noted: 'We can't solve problems with the same kind of thinking we used when we created them.' And such is the case for us here.

For starters, the Children's Online Privacy Protection Act ('COPPA') has played an inexplicably obscure role in the social networking debate. COPPA already governs the way commercial operators interact with children under 13. Among other things, COPPA requires operators to obtain verifiable parental consent before collecting personal information from child users. Plus, COPPA empowers state attorneys general to bring their own actions against violators.

Yet, as part of our ongoing online safety debate, no one has proposed toughening COPPA's statutory age requirement (e.g., 16 years old). This oversight may result in a missed opportunity for two reasons. First, since being enacted in 1998, COPPA has not been challenged in federal court. Second, COPPA's language already encourages operators to continually evaluate 'available technology' to carry out its congressional mandate of protecting minors through parental notice and consent. The problem is market forces haven't forced operators to evaluate available technology.

Additionally, no one has seriously explored measures that will set the stage for the marketplace to find its own innovative solutions to the online safety dilemma ' solutions that could identify someone as eligible to join a social networking site without retaining (or requiring another entity to retain) information about that individual.

Take California's SB 1386, for example. SB 1386 single-handedly catapulted data protection in the United States to the stratosphere by shedding light on what was previously an internal corporate matter. This law forced companies to disclose every major data breach of sensitive customer information. That's it. And with that seemingly simple legal requirement, most companies found the necessary business incentives to adequately guard consumer data. Even though companies continue to lose sensitive information, the stakes are much higher.

Could a similar transparency initiative give operators the necessary business incentives to better address the evident social networking safety concerns?

No doubt, legislators should act. But they must do so in a way that fosters meaningful solutions. Before we can solve the social networking dilemma, we must first grasp the cultural nuances of virtual communities and the potential implications of any new proposals. Otherwise, our rush to respond may fail to fully address those important concerns.